New EU Privacy regulation implies an important change for every non-EU company, dealing with EU citizens. The General Data Protection Regulation (the GDPR) gives all individuals the right to a judicial remedy. The key change is that individuals may bring a claim against a company that breaches the privacy rules.
High fines for breaches
Minor breaches of the data protection rules may lead to a fine of up to €10,000,000 or 2% of the company’s total annual turnover for the preceding financial year, whichever is the higher value. Major breaches may lead to fines of up to €20,000,000 or up to 4% of global turnover (whichever is higher).
Every non-EU company
The new EU rules on privacy apply to every non-EU company. So, every company dealing with personal data relating to offering goods or services to EU citizens, or monitoring EU citizens’ behaviour occurring within the EU. The General Data Protection Regulation comes into force on 25 May 2018. It is a European Union regulation, meaning that once it comes into force, it will have direct effect across the whole union.
What do you need to do now? 4 essential steps
Doing nothing is no option, so every non-EU company should start with the following four steps (and quickly after that, take 11 steps more!)
- Identify all the personal data which you process, where it is held and how it is processed.
- Identify and log your data flows, especially where recipients are located in non-EU countries.
- Review your data protection policies and data processes.
- Download the GDPR Guidance at www.interactlaw.com/gdpr for 11 more steps, a lot of extra information, and a Q&A about GDPR.